JS: Replace csurf -> lusca.csrf from example and qhelp

asgerf · asgerf · commit 162419138d71 · 2022-12-14T12:30:15.000+01:00
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
@@ -25,7 +25,7 @@
 <recommendation>
 	<p>
 
-		Use a middleware package such as <code>csurf</code> to protect against CSRF attacks.
+		Use a middleware package such as <code>lusca.csrf</code> to protect against CSRF attacks.
 
 	</p>
 </recommendation>
@@ -58,6 +58,6 @@
 
 <references>
 	<li>OWASP: <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a></li>
-	<li>NPM: <a href="https://www.npmjs.com/package/csurf">csurf</a></li>
+	<li>NPM: <a href="https://www.npmjs.com/package/lusca">lusca</a></li>
 </references>
 </qhelp>
diff --git a/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareBad.js b/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareBad.js
@@ -1,11 +1,16 @@
-var app = require("express")(),
+const app = require("express")(),
   cookieParser = require("cookie-parser"),
-  passport = require("passport");
+  bodyParser = require("body-parser"),
+  session = require("express-session");
 
 app.use(cookieParser());
-app.use(passport.authorize({ session: true }));
+app.use(bodyParser.urlencoded({ extended: false }));
+app.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));
+
+// ...
 
 app.post("/changeEmail", function(req, res) {
-  let newEmail = req.cookies["newEmail"];
-  // ...
+  const userId = req.session.id;
+  const email = req.body["email"];
+  // ... update email associated with userId
 });
diff --git a/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareGood.js b/javascript/ql/src/Security/CWE-352/examples/MissingCsrfMiddlewareGood.js
@@ -1,12 +1,18 @@
-var app = require("express")(),
+const app = require("express")(),
   cookieParser = require("cookie-parser"),
-  passport = require("passport"),
-  csrf = require("csurf");
+  bodyParser = require("body-parser"),
+  session = require("express-session"),
+  csrf = require('lusca').csrf;
 
 app.use(cookieParser());
-app.use(passport.authorize({ session: true }));
-app.use(csrf({ cookie: true }));
+app.use(bodyParser.urlencoded({ extended: false }));
+app.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));
+app.use(csrf());
+
+// ...
+
 app.post("/changeEmail", function(req, res) {
-  let newEmail = req.cookies["newEmail"];
-  // ...
+  const userId = req.session.id;
+  const email = req.body["email"];
+  // ... update email associated with userId
 });
